Forum Discussion

AbuAhmad
Mar 26, 2014

Logging client IP address for SSH attempts

I have a request to log client IP addresses for SSH port 22 connections and attempts. The issue they have is that they see numerous login attempts with root, guest and admin user IDs and wrong passwords; any help is appreciated.


6 Replies

  • At the very least:

    when CLIENT_ACCEPTED {
        log local0. "Request for service at port [TCP::local_port] from [IP::client_addr]"
    }
    

    That should log the client source address for any incoming TCP session, but it will not log the usernames/passwords in the SSH sessions.

  • How can I send the logs to a remote server? And can this be run on the GTM?

  • Take a look at the HSL:: commands for remote logging:

    https://devcentral.f5.com/wiki/iRules.HSL__send.ashx

    I would also add that the above only works for SSH traffic passing through the BIG-IP (via a virtual server), not for SSH traffic to the BIG-IP (management). And since SSH traffic wouldn't normally pass through a GTM, this iRule wouldn't really make sense. I probably should have asked, but are you trying to log SSH to the BIG-IP, or through it?

  • Thank you Kevin for your help; my knowledge of iRules is very little. Here is what I need to do: I have a farm that has HTTP, HTTPS and SSH virtual servers. (X-Forwarded-For can work with HTTP/HTTPS but not SSH.)

    1- I need to log all client IPs that try to access those VSs to another server, so it will not overload the local drive on the BIG-IP.

    2- If the IP of the remote server is 192.168.xx.xx, how will the iRule look? I tried this!!

    when CLIENT_ACCEPTED {
        log local0 192.168.xx.xx "Request for service at port [TCP::local_port] from [IP::client_addr]"
    }

    3- On the remote server, where can the logs be found?

    4- Do I need any tools to read the logs, or will they be in a txt file? If a tool is needed, can you suggest one please? Thanks again Kevin.

  • kunjan

    You can do as below:

    when CLIENT_ACCEPTED {
        log 192.168.xx.xx local0.info "Request for service at port [TCP::local_port] from [IP::client_addr]"
    }

    The logs will be in text format. The file location will be defined in /etc/syslog.conf (assuming a *nix system) on the remote syslog server.

    On the remote syslog server, you have to enable remote syslog for the syslog clients, in this case the BIG-IP IP address.

    http://www.freebsd.org/doc/handbook/network-syslogd.html

    You can test it using the 'logger' command from the BIG-IP, before testing with the iRule:

    logger -h 192.168.xx.xx -p local0.info "Testing"

  • If I may add, Kunjan is absolutely correct. The log statement in iRules sends traffic to a syslog server. Without an IP address specified, it sends the message to the local syslog server. You need a remote server that is running a syslog instance and is configured to capture messages for the facilities that you're sending (i.e. local0.info). Setting up a syslog server isn't overly difficult, but it can be different depending on your environment.

    I would also add that HSL is a WAY better option here. Using the log command will work, but 1) there's generally a limit to how many of those you can send out, and 2) the syslog traffic must pass through the management plane of the BIG-IP, which can induce CPU spikes. HSL (high speed logging) is processed completely within the data plane and doesn't have the same limitations.
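    As an added example (not code posted in this thread), here is how the client-address logging from the first reply looks when done with the HSL:: commands recommended above, so the message goes straight from the data plane to the remote syslog server instead of through the management-plane log command. It assumes a pool named syslog_pool (a hypothetical name) that contains the remote syslog server, e.g. the 192.168.xx.xx host from the thread, listening on UDP 514. The CLIENT_CLOSED event is included so each line also carries the session duration, which on an SSH virtual server makes the short-lived connections typical of failed-login bursts stand out in the remote log without needing to see usernames or passwords (which, as noted above, the BIG-IP cannot log for SSH).

```tcl
# Added example, not from the original thread.
# Assumes a pool "syslog_pool" (hypothetical name) holding the remote
# syslog server on UDP 514. Attach this iRule to the SSH virtual server.
when CLIENT_ACCEPTED {
    # Open an HSL handle to the pool; UDP matches a classic syslogd listener.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
    # Remember when the session started so CLIENT_CLOSED can report its length.
    set t_start [clock clicks -milliseconds]
    # <134> is the syslog PRI for facility local0 (16) and severity info (6):
    # 16 * 8 + 6 = 134, matching the local0.info used elsewhere in the thread.
    HSL::send $hsl "<134>bigip: ssh_connect vs=[virtual name] client=[IP::client_addr]:[TCP::client_port] port=[TCP::local_port]\n"
}

when CLIENT_CLOSED {
    # A flood of connections that close after a few hundred milliseconds
    # from the same client is the signature of a brute-force attempt.
    set dur [expr {[clock clicks -milliseconds] - $t_start}]
    HSL::send $hsl "<134>bigip: ssh_close client=[IP::client_addr]:[TCP::client_port] duration_ms=$dur\n"
}
```

    The remote server still has to accept messages from the BIG-IP's self IP (the FreeBSD handbook link above covers that side), and the logger test from the previous reply is a good way to confirm the path before attaching the iRule.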